Configure module access policies for Field Encryption

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 8 minutes
  • Create a module access policy to control which users, scripts, or system processes can encrypt or decrypt data encrypted by a field encryption module.

    Before you begin

    Role required: security_admin and sn_kmf.cryptographic_manager or sn_kmf.admin

    You must have a published field encryption module to use this process. If you have not done so, see Configure Field Encryption modules.

    About this task

    Module access policies (MAPs) are the access controls you apply to your field encryption modules to define which users, scripts, or system processes can encrypt or decrypt data. Configure MAPs for users (via roles), scripts, or processes running in the “system” context. Without a MAP, users, scripts, or system processes aren’t able to encrypt or decrypt data, which can result in end-to-end workflow processes not working correctly.

    MAPs are separate from access control lists (ACL), but can be used in combination with them. See Exploring Field Encryption for more information about the purpose behind MAPs.

    For Field Encryption Enterprise, review and plan which users, scripts, or system processes need a MAP.

    Procedure

    1. Navigate to All > System Security > Field Encryption > Field Encryption Experience.
    2. Select Access Policies within the module's tile.
    3. In the Module Access Policy form, fill in the fields as needed.
      • Policy Name: Name of your MAP.
      • Type: Decide who or what should have access to this MAP to encrypt or decrypt data.
          • Scope: Anything within the specified Application Scope has access to this MAP.
          • Role: Only users with the specified role can access this MAP.
          • Script: Ensures that a specified script can access this MAP.
          • System Access: Allows processes running in “System Context” access to this MAP.
          • Resource Exchange: Allows the Resource Exchange feature access to this MAP.
        For more information on how these different types of MAP work, see Exploring Field Encryption.
      • Result: Select one of the following:
          • Track: Permits access and monitors use of the MAP.
          • Reject: Rejects access unless a different MAP grants access.
          • StrictReject: Rejects access under all circumstances, even if a different MAP grants access.
      • Crypto Module: Select the field encryption module to be governed by this MAP.
      • Crypto Spec: Optional. Select or create a new Cryptographic Specification for this MAP.
        This field appears only when the Specify Purpose field is enabled.
      • Active: Enable to activate this MAP.
      • Target Scope: Select the scope that this MAP applies to.
        This field appears only if the Type field is set to Scope.
      • Target Role: Select which role should have access to this MAP.
        This field appears only if the Type field is set to Role.
      • Target Script: Choose the specific script, of the script type selected in the Script Table field, that should have access to this MAP.
        This field appears only if the Type field is set to Script.
      • Approval Type: Select either One Time or Recurring:
          • One Time: Allows the symmetric data encryption key in the associated field encryption module to be securely shared with the target instance one time.
          • Recurring: Allows the symmetric data encryption key in the associated field encryption module to be securely shared with the target instance on a recurring basis.
        This field appears only if the Type field is set to Resource Exchange.
      • Target Instance Host: Enter the URL of the target instance that the symmetric data encryption key in the associated field encryption module is being sent to.
        This field appears only if the Type field is set to Resource Exchange.
      • Specify Purpose: Optional. Enable to display the Crypto Spec field on the form. Enable this option to configure granular operations, such as some users being able to encrypt but not decrypt.
      • Granular Operation: Optional. Select the cryptographic purpose for the Crypto Spec. The values available depend on the type of Crypto Spec that is selected.
        For example, you can specify that this MAP only allows users to encrypt but not decrypt, or the opposite, or both.
        This field appears only if there’s a value in the Crypto Spec field.
          • If a user has encrypt access but not decrypt access, the field displays in edit mode and the data entered displays as asterisks.
          • If a user has decrypt access but not encrypt access, the field displays the decrypted data in read-only mode.
          • If a user has both encrypt and decrypt access, both read and write functionality are available for the encrypted field.
      • Script Table: Select which type of script applies to this MAP:
          • Access Control
          • Activity Designer
          • Business Rule
          • Inbound Email Action
          • Record Producer
          • Scheduled Script Execution
          • Script Include
          • UI Action
          • Widget
          • Workflow Activity
        This field appears only if the Type field is set to Script.
      • Check Script Version: When selected, the system compares the version of the script that is run with the version specified in the Target Script field. If the versions are different, the admin is notified.
        This field appears only if the Type field is set to Script.
      • Impersonation: When enabled, a user impersonating another user gains the MAP permissions of both users. If disabled, a user impersonating another user has only the MAP permissions that were granted to them before the impersonation.
    4. Select Submit.
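    As an added example (not ServiceNow code and not the Field Encryption implementation), the following Python models how the Result values (Track, Reject, StrictReject), the Granular Operation, and the Impersonation setting described above combine when several MAPs apply to one caller; only the Role and System Access types are modelled, and all policy and role names are constructed.

    ```python
    from dataclasses import dataclass
    from typing import FrozenSet, Iterable, List, Optional, Set
    # Result values from the MAP form (see the Result field in the procedure above).
    TRACK, REJECT, STRICT_REJECT = "Track", "Reject", "StrictReject"

    @dataclass(frozen=True)
    class ModuleAccessPolicy:
        name: str
        type: str                  # "Role" or "System Access" (other Types not modelled here)
        result: str                # TRACK, REJECT or STRICT_REJECT
        target_role: Optional[str] = None
        operations: FrozenSet[str] = frozenset({"encrypt", "decrypt"})  # Granular Operation
        active: bool = True

    def matching_policies(policies: Iterable[ModuleAccessPolicy], roles: Set[str],
                          system_context: bool) -> List[ModuleAccessPolicy]:
        """Active MAPs whose Type and target apply to this caller."""
        matched = []
        for p in policies:
            if not p.active:
                continue
            if p.type == "Role" and p.target_role in roles:
                matched.append(p)
            elif p.type == "System Access" and system_context:
                matched.append(p)
        return matched

    def evaluate(policies, roles, operation, system_context=False) -> bool:
        """True if the caller may perform `operation` ("encrypt" or "decrypt").
        Precedence: any matching StrictReject denies; otherwise any matching Track
        grants; otherwise deny (only Reject MAPs matched, or no MAP at all)."""
        matched = [p for p in matching_policies(policies, roles, system_context)
                   if operation in p.operations]
        if any(p.result == STRICT_REJECT for p in matched):
            return False
        return any(p.result == TRACK for p in matched)

    def evaluate_impersonation(policies, impersonator_roles, impersonated_roles,
                               operation, impersonation_enabled) -> bool:
        """Impersonation enabled: permissions of both users; disabled: impersonator's own only."""
        own = evaluate(policies, impersonator_roles, operation)
        return own or (impersonation_enabled and evaluate(policies, impersonated_roles, operation))

    # Constructed sample MAPs for one module; role and policy names are hypothetical.
    POLICIES = [
        ModuleAccessPolicy("hr_agent_encrypt_only", "Role", TRACK, "hr_agent", frozenset({"encrypt"})),
        ModuleAccessPolicy("hr_manager_full", "Role", TRACK, "hr_manager"),
        ModuleAccessPolicy("hr_manager_legacy_reject", "Role", REJECT, "hr_manager"),
        ModuleAccessPolicy("contractor_block", "Role", STRICT_REJECT, "contractor"),
        ModuleAccessPolicy("system_jobs", "System Access", TRACK),
    ]
    ```

    A user holding both hr_manager and contractor is denied in this model because StrictReject overrides the Track grant, while the Reject MAP on hr_manager is overridden by the Track MAP on the same role.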